An agent-based English auction protocol using Elliptic Curve Cryptosystem for mobile commerce
Yu-Fang Chung a,*, Yu-Ting Chen b, Tzer-Long Chen c, Tzer-Shyong Chen d
a Department of Electrical Engineering, Tunghai University, Taiwan
b Department of Computer Science, Chiao Tung University, Taiwan
c Department of Information Management, Taiwan University, Taiwan
d Department of Information Management, Tunghai University, Taiwan
Article info
Keywords: Mobile agent; Elliptic Curve Cryptosystem; English auction; Anonymity; Public verification
Abstract
Rapid development of the Internet and the extensive use of mobile phones have increased demand for mobile devices in Internet auctions. This trend is acting as an incentive to develop an auction model for a mobile-based environment. Recently, Kuo-Hsuan Huang proposed a mobile auction agent model (MoAAM), which allows the bidders to participate in online auctions through a mobile agent. He used modular exponentiation operations in his method. As a result, the processing times for key generation, bidding, and verification were long. Thus, we propose to add the concept of the Elliptic Curve Cryptosystem (ECC) onto MoAAM, because ECC has a low computation amount and a small key size, both of which speed up key generation, bidding, and verification. By reducing the computation load on mobile devices and on the auction-manager server, the proposed method makes the online auction system more efficient as well as more convenient to use. This paper mainly uses the English auction protocol as the key auction protocol. The protocol consists of four entities: Registration Manager (RM), Agent House (AH), Auction House (AUH), and Bidders (B). The Registration Manager registers and verifies Bidder identity. The Agent House manages the agents and assigns public transaction keys to Bidders. The Auction House provides a place for the auction and maintains all necessary operations for a smooth online auction. Bidders are buyers who are interested in purchasing items at the auction. Our proposed method conforms to the requirements of an online auction protocol in terms of anonymity, traceability, no framing, unforgeability, non-repudiation, fairness, public verifiability, unlinkability among various auction rounds, linkability within a single auction round, efficiency of bidding, one-time registration, and easy revocation.
© 2011 Elsevier Ltd. All rights reserved.
1. Introduction
Technical advancement of the Internet in recent years has managed to successfully replace offline auction with online auction, which is more far reaching, more convenient, more powerful, and more capable than the conventional way of holding an auction sale. Today, online auction protocols are applied in auctions that are held over the Internet. These auctions include open auction and sealed-bid auction. Open auction can be subdivided into two types: English auction and Dutch auction (Huang, 2003). In an English auction, all bidders place their bids on the basis of the reserve price that is preliminarily set by a host. When everything is in place, the host starts the bidding process. As bidding progresses, the bid prices go increasingly higher. When the auction time ends, the person with the highest bid wins. In a Dutch auction, bidders place their bids for lower prices. The auction closes when there is a bidder who is willing to pay the final price (Lee, Chen, & Hung, 2000). The bidding process in an English auction is more transparent: bidders can observe the bids made by their competitors during the entire auction process and make immediate adjustments to their own bids. Therefore, bidding is generally highly competitive under this kind of protocol, as the protocol forces the bid price to increase if the goods are desirable. Thus, we can say that the English auction protocol is more efficient, as a good protocol helps auctioned goods get a higher price (Peng, Chang, & Chen, 2008). As a result, the expected return on goods auctioned off using the English auction protocol is generally higher than that of other protocols. So, most auction-based websites, such as eBay and Yahoo! Auctions, operate on English auction. Therefore, this paper will primarily focus on how to apply the English auction protocol in mobile commerce.
Expert Systems with Applications. doi:10.1016/j.eswa.2011.02.039
* Corresponding author. Tel.: +886 4 23590121. E-mail address: [email protected] (Y.-F. Chung).
Omote and Miyaji (2001) proposed to use the bulletin board for verification in the English auction protocol, declaring that it can satisfy the security requirements of English auction. Their method was based on a concept proposed by Wu, Chen, and Lin (2002) and Nguyen and Traore (2000), who utilized group signatures in the English auction protocol to raise the security level for the bidders. However, for security reasons, Omote and Miyaji's method does not publish any bidder information, because they understood it could cause a breach of privacy. Above all, it would violate the purposes of anonymity, fairness, unlinkability among various auction rounds, and other characteristics that are required in an English auction protocol. Later, Lee, Kim, and Ma (2001) made improvements on Omote and Miyaji's method. It allowed bidders' identities and information to be published, and at the same time, the relation among various rounds of auction for the same bidder was reinforced. Thus, the bidders need not worry about a breach of privacy when their identity information is posted on the bulletin board. In 2003, Chang and Chang (2003) proposed a much simpler and more effective method for providing anonymity in English auction. However, Jiang, Pan, and Li (2005) pointed out that Chang et al.'s method was not secure enough to protect bidders' privacy because the bidder had no way of knowing whether the auctioneer was the same or not. Subsequently, Chang et al. utilized an alias to resolve the situation (Chang & Chang, 2006).
Rapid developments in mobile phones have caused an increase in the demand for mobile commerce. Recently, Kuo-Hsuan Huang proposed a mobile auction agent model (MoAAM) (Huang, 2008), which allows the bidders to participate in online auctions through mobile agents. Huang's method employs modular exponentiation operations, which unfortunately increase the processing time for key generation, bidding, and verification. Thus, we propose to add the concept of the Elliptic Curve Cryptosystem (ECC) onto MoAAM, since ECC has a low computation amount and a small key size. It will aid in speeding up key generation, bidding, and verification. By reducing the computation load on mobile devices and connected servers, the proposed method will make the online auction system more convenient for users. In order to maintain a fair and secure auction, certain security features must be included, as follows (Lee et al., 2001):
(1) Anonymity: During the course of an auction, no one shall be able to ascertain the identity of another bidder.
(2) Traceability: The winner's real identity can be disclosed at the end of the auction.
(3) No framing: The identities of all bidders remain independent. No person shall falsely claim to be any other bidder who participated in the auction.
(4) Non-forgeability: No one is able to forge another's bid price.
(5) Non-repudiation: The winning bidder shall not be able to deny his/her bid price after the winner is announced.
(6) Fairness: All bidding must be conducted in an open and fair manner.
(7) Public verifiability: Anyone can verify the identity and bid price of past bidders.
(8) Unlinkability among various auction rounds: No one shall be able to determine the same bidder's identity among different rounds of auction.
(9) Linkability within a single auction round: The bidders can repeatedly place new bid prices within a single auction round and can be recognized by other bidders.
(10) Efficient bidding: In order to make the bidding efficient, processing time must be minimized.
(11) One-time registration: The bidder need only register once to participate in any number of auctions.
(12) Easy revocation: The Registration Manager can easily revoke someone's right to bid.
The rest of this paper is organized as follows. Section 2 explains how the mobile auction agent model actually works in practice and provides further explanation of the Elliptic Curve Cryptosystem with examples. Section 3 presents our proposed method, which shows how to apply ECC onto MoAAM. Section 4 contains a security analysis performed to examine our proposed method. Conclusions are finally drawn in Section 5, and recommendations for further studies are given.
2. The related research
2.1. Mobile auction agent model (MoAAM)
2.1.1. Communication in MoAAM
MoAAM (Huang, 2008) is designed to enable users to use their mobile devices to participate in online auctions. MoAAM consists of four agents: (1) a personal agent, (2) a customer agent, (3) an auctioneer agent and (4) a broker agent. How these agents work in MoAAM through a web server is shown in Fig. 2.1. Inside the mobile device, there is an interactive interface, called the personal agent, which connects with an agent house via the wireless network. In other words, a personal agent is a preset agent that operates on the mobile device and provides an interface to allow users to communicate with the Agent House server. The customer agent, auctioneer agent, and broker agent are all stored and operate in the fixed network.
[Fig. 2.1. Communication in MoAAM: the personal agent on the mobile client (customer) reaches the Agent House server over the wireless network and wireless gateway; the customer agent, broker agent (Broker Agent Server) and auctioneer agent (Auction House Server) sit in the fixed network with web service and communicate via SOAP; notifications are returned by SMS/Email.]
The personal agent connects to the customer agent when a mobile network user wants to buy a specific product. Then the personal agent sends the description of the desired products and price information to the customer agent. On the other hand, an auctioneer registers the information of products with the broker agent. On receiving the user's request, the broker agent generates an auction list that meets the user's needs and sends it back to the user. If the user decides to purchase any auction item on the received list, a bid agent will be created by the customer agent and dispatched to an auction house server to join in the bidding.
2.1.2. The structure of MoAAM
The structure of MoAAM (Huang, 2008) is shown in Fig. 2.2:
(1) Primary Participants in MoAAM
(i) Broker agent: It is responsible for pairing up bidders and auctioneers. Moreover, it generates auction lists and provides bid price information for the users.
(ii) Bid agent: An individual user would use it to participate in auctions and place the bids.
(iii) Auctioneer agent: Auctioneers use it as their representative to manage the items they are selling.
(iv) Auction house server: A platform where online auctions take place.
(2) How Customer Agent Operates
The customer agent provides an interface with three different functions for the user:
(i) Query the broker agent: To request from the broker agent a list of registered auction items and bid prices for the same.
(ii) Specify the bid agent: A bidder sends his/her request and bidding information to the bid agent generator. The generator will create a bid agent from a template.
(iii) Control the bid agent: This function allows the bidder to communicate with the bid agent and control the behavior of a bid agent.
(3) How Broker Agent Operates
First, the auctioneer needs to register his/her agent with the broker agent, and then the broker agent will store the auctioneer's information in the database. When the customer agent sends a request for item information, the broker agent would reply with a list of recommended items to the customer agent.
(4) How Auction House Operates
The auction house server offers a web interface to allow the auctioneers to execute the following functions:
(i) Specify the auctioneer agent: An auctioneer sends his/her request and auction information to the auctioneer agent generator. The generator will create an auctioneer agent from a template. The newly created agent and auction information would be registered with the broker agent.
(ii) Control the auctioneer agent: This interface allows the auctioneer to communicate with the auctioneer agent and control the auctioneer agent’s behavior.
(5) Mobile agent platform
The mobile agent platform is where the bid agent and auctioneer agent would be sent to as the auction starts.
[Fig. 2.2. The structure of MoAAM: the Auction House Server web system holds the customer agent user interface (query broker agent, specify agents, control agents), the bid agent generator, the auctioneer agent generator, the agent database, the broker agent (agent matcher, agent register) and the mobile agent platform on which bid agents and auctioneer agents run.]
2.2. Elliptic Curve Cryptosystem
In 1985, Elliptic Curve Cryptography (ECC) was proposed by Koblitz (1987) and Miller (1986). ECC improves on existing cryptosystems in terms of smaller system parameters, smaller public-key certificates, lower bandwidth usage, faster implementations, lower power requirements, and smaller hardware processor requirements (Wu, 2005). Therefore, using Elliptic Curve Cryptography to build a cryptosystem is commendable for reasons of high security and efficiency (Chung, Lee, Lai, & Chen, 2008). The mathematical settings of the Elliptic Curve Cryptosystem are as described below (Chung et al., 2008; Shieh, 2006). First, elliptic curves can be divided into two families: prime curves and binary curves. Prime curves (over $Z_p$) are good for software applications, because they do not require the extended bit-fiddling operations that binary curves require. Binary curves (over $GF(2^n)$) are best for hardware applications, as they require only a few logic gates to build a powerful cryptosystem. Second, the variables and coefficients of the elliptic curves are limited to the elements of the finite field; this limitation increases the efficiency of ECC computing operations.
In the finite field $Z_p$, defined modulo a prime p, an elliptic curve is represented as $E_p(a, b): y^2 = x^3 + ax + b \pmod p$, where $(a, b) \in Z_p$ and $4a^3 + 27b^2 \bmod p \neq 0$. The condition $4a^3 + 27b^2 \bmod p \neq 0$ is necessary to ensure that $y^2 = x^3 + ax + b \pmod p$ has no repeated factors, which means that a finite abelian group can be defined on the set $E_p(a, b)$ (Huang, Chung, Liu, Lai, & Chen, in press). Included in the definition of an elliptic curve, a point at infinity denoted as O is also called the zero point. The point at infinity O is the third point of intersection of any straight line with the curve, so that there are points including $(x, y)$, $(x, -y)$, and O on the straight line.
For points on an elliptic curve, we define a certain addition, denoted "+". The addition rules are given below.
(1) $O + P = P$ and $P + O = P$, where O serves as the additive identity.
(2) $-O = O$.
(3) $P + (-P) = (-P) + P = O$, where $-P$ is the negative point of P.
(4) $(P + Q) + R = P + (Q + R)$.
(5) $P + Q = Q + P$.
For any two points $P = (x_p, y_p)$ and $Q = (x_q, y_q)$ over $E_p(a, b)$, the elliptic curve addition operation, which is denoted as $P + Q = R = (x_r, y_r)$, satisfies the following rules:
$$x_r = (\lambda^2 - x_p - x_q) \bmod p, \qquad y_r = (\lambda (x_p - x_r) - y_p) \bmod p,$$
where
$$\lambda = \begin{cases} \dfrac{y_q - y_p}{x_q - x_p} \bmod p, & \text{if } P \neq Q \\[6pt] \dfrac{3x_p^2 + a}{2y_p} \bmod p, & \text{if } P = Q \end{cases}$$
Given an equation of the form denoted as $E_{23}(1, 4): y^2 = x^3 + 1x + 4 \bmod 23$, with $a = 1, b = 4 \in Z_p$ and $4a^3 + 27b^2 = 22 \bmod 23 \neq 0$, the points over the elliptic curve $E_{23}(1, 4)$ are shown in Table 1 (Johnson, Menezes, & Vanstone, 2001).
Example 2.1. Let $P = (7, 3)$ and $Q = (8, 15)$ in $E_{23}(1, 4)$. When $P \neq Q$, we must derive $\lambda$ before calculating $P + Q$, as follows:
$$\lambda = \frac{15 - 3}{8 - 7} \bmod 23 = 12 \bmod 23 = 12.$$
So, when $\lambda = 12$, $x_r$ and $y_r$ can be derived as shown below:
$$x_r = (12^2 - 7 - 8) \bmod 23 = 129 \bmod 23 = 14, \qquad y_r = (12(7 - 14) - 3) \bmod 23 = -87 \bmod 23 = 5.$$
Thus, $P + Q = R = (14, 5)$.
To calculate $2P$ with $P = (7, 3)$, we must first derive $\lambda$ as follows:
$$\lambda = \left(\frac{3 \cdot 7^2 + 1}{2 \cdot 3}\right) \bmod 23 = \frac{148}{6} \bmod 23 = 17.$$
So, when $\lambda = 17$, $x_r$ and $y_r$ can be derived as shown below:
$$x_r = (17^2 - 7 - 7) \bmod 23 = 275 \bmod 23 = 22, \qquad y_r = (17(7 - 22) - 3) \bmod 23 = -258 \bmod 23 = 18.$$
Thus, $P + P = 2P = (22, 18)$.
Although we speak of point multiplication on the elliptic curve, we do not actually multiply one point by another. Instead, we use the equation $Q = kP$ to obtain a point on the curve: assuming k is a natural number and Q and P are points on E, Q is defined as $P + P + \cdots + P$ (k times), which is computed with the double-and-add algorithm. The security of ECC in the finite field rests on the fact that, while $Q = kP$ is easy to compute, it is difficult to recover k even when Q and P are given. This is the conundrum of Elliptic Curve Cryptography and is also known as the Elliptic Curve Discrete Logarithm Problem (ECDLP) (Guan & Jen, 2005).
3. Research method
The proposed method includes six phases: (1) Initialization, (2) Registration, (3) Transaction Public Key Generation, (4) Signature, (5) Auction Bidding, and (6) Winner Announcement. The whole process flow is shown in Fig. 3.1. In the process, there are four main participants, which are Registration Manager (RM), Agent House (AH), Auction House (AUH), and Bidder (B).
3.1. The participants
(1) Registration Manager (RM)
(i) It is a unit for bidders to apply for registration. All bidders need to register only once. After that, they can participate in any number of auctions without needing to register again.
(ii) It is also responsible for storing the bidders' identity information and corresponding secret parameters.
(iii) It manages and maintains the bulletin board, which is called BBRM. On the bulletin board, two types of information are to be posted. One is the registration key and identity information of a bidder. The other is the pseudonym that a bidder uses in a single auction round. Anyone can use the posted information for identification verification. However, only the RM has authority to write and update the board.
(2) Agent House (AH)
(i) It is responsible for communicating with broker agent and creating bid agents.
(ii) It manages and maintains a bulletin board, which is called BBAH. The bidder’s transaction public key is posted on the board for verification purpose. However, only the AH has authority to write and update the board.
Table 1
Points over the elliptic curve E23(1, 4).
(0, 2) (0, 21) (1, 11) (1, 12) (4, 7) (4, 16) (7, 3) (7, 20) (8, 8) (8, 15)
(9, 11) (9, 12) (10, 5) (10, 18) (11, 9) (11, 14) (13, 11) (13, 12) (14, 5) (14, 18)
(3) Auction House (AUH)
(i) It provides the auction place, maintains the operations, and hosts the auctions.
(ii) It manages and maintains a bulletin board, which is called BBAUH. The bidding information of bidders and the winning bidder's information will be posted on this bulletin board. The information posted on the board can be used to verify a bidder's identity. However, only the AUH has authority to write and update the board.
(4) Bidder (B)
(i) One who participates and places bids in the auction.
3.2. System parameters
The system parameters are shown in Table 2.
3.3. Proposed method
3.3.1. Initialization
RM and AH establish system parameters and the steps are as follows:
(1) RM
Step 1: Set up a read-only bulletin board (BBRM) and post two kinds of information. One is the registration key and identity information of all bidders; the other is the pseudonyms used by the bidders in the jth round of auction. RM is the only one that can write and update the bulletin board.
[Fig. 3.1. Flow chart of MoAAM. Participants: Agent House (AH) with BBAH, Registration Manager (RM) with BBRM, Bidder ($B_i$), broker agent, Auction House (AUH) with BBAUH and the bid agents. Steps: 1 registration; 2–4 generation of transaction public key; 5 signature; 6–8 auction bidding; 9–12 winner announcement. Posted information: #1 $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ during the auction; #2 $\{TPK_{i,j}, (r_j \cdot x_S), N_{i,j}\}$ and #3 $\{N_{i,j}, H^j(k_i), RK_i\}$ after the auction.]
Table 2
System parameters.
p: A big prime number;
q: A big prime number; q is the order of a generative point on an elliptic curve and its value is within $p + 1 \pm 2\sqrt{p}$;
E: Elliptic curve equation $y^2 = x^3 + ax + b \pmod p$, where a, b are real numbers and satisfy $4a^3 + 27b^2 \bmod p \neq 0$;
G: A generative point on an elliptic curve with order q;
F: A point on an elliptic curve;
$x_F$: The value of the x-coordinate of point F on the elliptic curve;
$y_F$: The value of the y-coordinate of point F on the elliptic curve;
H(x): A one-way hash function, satisfying $H^j(x) = H(x, H^{j-1}(x))$ and $H^0(x) = x$;
$SK_{AH}$: AH's private key;
$PK_{AH}$: AH's public key;
$B_i$: The ith bidder;
$bid_{i,j}$: A bid price that is placed by $B_i$ in the jth round of auction;
$SK_i$: $B_i$'s private key;
$RK_i$: $B_i$'s registration key;
$k_i, t_{1,i}, t_{2,i}$: Three secret parameters that are chosen by $B_i$;
$N_{i,j}$: A pseudonym that RM creates for $B_i$ in the jth round of auction;
$r_j$: A random number chosen by AH in the jth round of auction;
$G_j$: The public information published by AH in the jth round of auction;
$TPK_{i,j}$: A transaction public key that AH generates for $B_i$ in the jth round of
Step 2: Select a big prime number for p.
Step 3: Declare an elliptic curve equation, $E_p(a, b): y^2 = x^3 + ax + b \pmod p$, that satisfies $(a, b) \in Z_p$ and $4a^3 + 27b^2 \neq 0 \pmod p$.
Step 4: Select and declare a generative point G with order q, which is a big prime number whose value should be within $p + 1 \pm 2\sqrt{p}$.
(2) AH
Step 1: Set up a read-only bulletin board (BBAH) and post the transaction public key and related information of all bidders on the board. AH is the only one authorized to write and update the bulletin board.
Step 2: Randomly select an integer $SK_{AH} \in [1, q-1]$ as the private key and use it to calculate the corresponding public key $PK_{AH}$. The equation is as follows:
$$PK_{AH} = SK_{AH} \cdot G \quad (1)$$
Step 3: Post $PK_{AH}$ on BBAH.
3.3.2. Registration
Before a new bidder ($B_i$) can join in an auction, he/she must first apply for registration with RM. On completing registration, RM will generate a pseudonym for $B_i$; the pseudonym can only be used in the jth round of auction.
$B_i$ should first calculate all relevant parameters before registering with RM. The registration process is as shown below:
Step 1: $B_i$ randomly selects an integer $SK_i \in [1, q-1]$ as the private key and computes a corresponding registration key $RK_i$. The equation is as follows:
$$RK_i = SK_i \cdot G \quad (2)$$
Step 2: $B_i$ randomly selects an integer $k_i \in [1, q-1]$ as a secret parameter.
Step 3: $B_i$ randomly selects an integer $t_{1,i} \in [1, q-1]$ and computes the verification information $(c_i, e_i)$. The computation steps are as follows:
$$F_{1,i} = t_{1,i} \cdot G = (x_{F_{1,i}}, y_{F_{1,i}}) \quad (3)$$
$$c_i = H(x_{F_{1,i}} \| y_{F_{1,i}}) \quad (4)$$
$$e_i = (t_{1,i} + c_i \cdot SK_i) \bmod q \quad (5)$$
Step 4: $B_i$ sends the information $\{RK_i, k_i, c_i, e_i\}$ and identity information ($ID_i$) through a secure channel to RM. On receiving the information, RM processes the registration.
Step 5: RM authenticates the validity of $\{RK_i, k_i, c_i, e_i\}$ by the following equations:
$$F'_{1,i} = e_i \cdot G - c_i \cdot RK_i = (x_{F'_{1,i}}, y_{F'_{1,i}}) \quad (6)$$
$$c'_i = H(x_{F'_{1,i}} \| y_{F'_{1,i}}) \quad (7)$$
$$c'_i \stackrel{?}{=} c_i \quad (8)$$
If Eq. (8) holds, $\{RK_i, k_i, c_i, e_i\}$ is valid. This proves that $SK_i$ and $RK_i$ correspond to each other. In contrast, RM would refuse to accept the registration application from $B_i$ if the received information is forged.
Step 6: RM stores $B_i$'s identity information $ID_i$ and the corresponding secret parameter $k_i$ in its own database.
Step 7: RM would post $B_i$'s identity information $ID_i$ and registration key $RK_i$ on BBRM.
Step 8: Before the jth round of auction starts, RM would generate a pseudonym ($N_{i,j}$) for each bidder $B_i$. The order of all pseudonyms would be randomly arranged and posted on BBRM. The equation is as shown below:
$$N_{i,j} = H^j(k_i) \cdot RK_i \quad (9)$$
Step 9: $B_i$ can use Eq. (9) to compute his/her own pseudonym and verify that his/her pseudonym matches the one that is posted on BBRM. If $B_i$ does not find his/her pseudonym on BBRM, he/she can appeal to RM.
3.3.3. Transaction public key generation
In the jth round of auction, $B_i$ can obtain auction information through AH, who retrieves information about currently open auctions from the broker agent. The broker agent would prepare an auction list that matches the needs of $B_i$ and send the list back to the AH for $B_i$ to review. After $B_i$ decides which auction he/she wants to participate in, $B_i$ has to apply for a transaction public key ($TPK_{i,j}$), which is managed by AH. AH would generate $TPK_{i,j}$ with $B_i$'s pseudonym on BBRM for the bidder. The steps are as follows:
Step 1: AH randomly selects an integer $r_j \in [1, q-1]$ and computes the public information $G_j$. Then, AH posts $G_j$ on BBAH. The equation is as shown below:
$$G_j = r_j \cdot G \quad (10)$$
Step 2: AH uses $N_{i,j}$ and its own private key $SK_{AH}$ to generate a parameter $S_{i,j}$ and $TPK_{i,j}$ for each $B_i$, and posts the generated information on BBAH. The equations are shown below:
$$S_{i,j} = SK_{AH} \cdot N_{i,j} = (x_{S_{i,j}}, y_{S_{i,j}}) \quad (11)$$
$$TPK_{i,j} = r_j \cdot x_{S_{i,j}} \cdot N_{i,j} \quad (12)$$
3.3.4. Signature
Before $B_i$ starts to participate in the auction, $B_i$ must verify the $TPK_{i,j}$ given by the AH on BBAH. If the key is valid, $B_i$ would calculate the corresponding signature with his/her bid price along with the related information. Subsequently, $B_i$ can start participating in the bidding. The steps are as follows:
Step 1: $B_i$ uses AH's public key $PK_{AH}$ to compute a parameter $S'_{i,j}$, as follows:
$$S'_{i,j} = (H^j(k_i) \cdot SK_i) \cdot PK_{AH} = (x_{S'_{i,j}}, y_{S'_{i,j}}) \quad (13)$$
Step 2: $B_i$ combines his/her private key $SK_i$ and parameter $S'_{i,j}$ to generate $TPK'_{i,j}$, as follows:
$$TPK'_{i,j} = (H^j(k_i) \cdot x_{S'_{i,j}} \cdot SK_i) \cdot G_j \quad (14)$$
$B_i$ must check that $S'_{i,j}$ and $TPK'_{i,j}$ match the information posted on the BBAH; if not, $B_i$ can appeal to AH.
Step 3: $B_i$ randomly selects an integer $t_{2,i} \in [1, q-1]$ and decides on a bid price $bid_{i,j}$. Afterwards, a corresponding signature $\{\alpha_{i,j}, \beta_{i,j}\}$ is created, as shown below:
$$F_{2,i} = t_{2,i} \cdot G_j = (x_{F_{2,i}}, y_{F_{2,i}}) \quad (15)$$
$$\alpha_{i,j} = H(x_{F_{2,i}} \| y_{F_{2,i}} \| bid_{i,j}) \quad (16)$$
$$\beta_{i,j} = (t_{2,i} + \alpha_{i,j} \cdot H^j(k_i) \cdot x_{S_{i,j}} \cdot SK_i) \bmod q \quad (17)$$
3.3.5. Auction bidding
Before the start of the auction, $B_i$ needs to obtain a bid agent from the AH. After a bid agent is acquired, $B_i$ is then allowed to bid. The bidding process is as follows:
Step 1: $B_i$ should first send out the bidding information $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ to AH and apply for a bid agent.
Step 2: After the AH receives the bidding information from $B_i$, $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ has to be verified. The equations for verification are as shown below:
$$F'_{2,i} = \beta_{i,j} \cdot G_j - \alpha_{i,j} \cdot TPK_{i,j} = (x_{F'_{2,i}}, y_{F'_{2,i}}) \quad (18)$$
$$\alpha'_{i,j} = H(x_{F'_{2,i}} \| y_{F'_{2,i}}) \quad (19)$$
$$\alpha'_{i,j} \stackrel{?}{=} \alpha_{i,j} \quad (20)$$
If Eq. (20) holds, this proves that $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ is valid, and vice versa. AH can reject the bidding request from $B_i$ if the received information is false.
Step 3: AH uses the bidding information to create a new bid agent for $B_i$. The new agent is then sent to the selected AUH to represent $B_i$ in the auction.
Steps 1, 2, and 3 can be skipped if the bid is placed more than once. Only the bidding information would be verified.
Step 4: When the bid agent arrives at the AUH, the $TPK_{i,j}$ is checked to see that it matches the one posted on BBAH. If not, AUH can reject $B_i$'s application.
Step 5: AUH verifies the bidding information $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ as in Step 2. If Eq. (20) holds, it means that $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ is valid.
Step 6: AUH posts the bidding information $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$ on BBAUH. Anyone can use the equations listed in Step 2 to verify the bidding information of $B_i$.
3.3.6. Winner announcement
When the jth round of auction ends, the one who places the highest bid price would be announced as the winner. Then AUH would take the winner's $TPK_{i,j}$ to reconfirm the winner's information, $N_{i,j}$ and $RK_i$, with AH and RM. Afterwards, the result would be posted on BBAUH and can be used by anyone for verification purposes. The steps are as follows:
Step 1: AUH takes the winner's $TPK_{i,j}$ to AH and asks for the pseudonym $N_{i,j}$ used by the winner.
Step 2: AH returns the information $\{TPK_{i,j}, (r_j \cdot x_{S_{i,j}}), N_{i,j}\}$ to the AUH.
Step 3: AUH can use Eq. (12) to confirm the relationship between $TPK_{i,j}$ and $N_{i,j}$.
Step 4: AUH takes the winner's $N_{i,j}$ to RM and asks for the winner's $RK_i$.
Step 5: RM returns the information $\{N_{i,j}, H^j(k_i), RK_i\}$ to the AUH.
Step 6: AUH can use Eq. (9) to confirm the relationship between $N_{i,j}$ and $RK_i$.
Step 7: The AUH will post the winner's information, $\{TPK_{i,j}, (r_j \cdot x_{S_{i,j}}), N_{i,j}\}$ and $\{N_{i,j}, H^j(k_i), RK_i\}$, on BBAUH. The winner's information on BBAUH can be obtained by anyone to verify again by using Eqs. (9) and (12).
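As an added, runnable illustration (not code from the paper), the following Python implements the toy curve $E_{23}(1, 4)$ of Section 2.2, reproduces Example 2.1, and then runs one bidder through the registration, pseudonym, transaction-public-key and bid-signature steps of Sections 3.3.2–3.3.5 so that Eqs. (8), (14) and (20) can be checked mechanically. Assumptions not stated in the paper: G = (0, 2) with prime order q = 29 (the point count of $E_{23}(1, 4)$), H implemented as SHA-256 reduced into [1, q−1], and the verifier recomputing $\alpha'$ over the bid as in Eq. (16).

```python
import hashlib
import secrets

P, A, B = 23, 1, 4            # E_23(1, 4): y^2 = x^3 + x + 4 (mod 23), Section 2.2
G, Q = (0, 2), 29             # generator and its prime order (assumption: #E = 29)
O = None                      # point at infinity

def ec_neg(pt):
    return O if pt is O else (pt[0], (-pt[1]) % P)

def ec_add(p1, p2):
    """Point addition and doubling with the lambda rules of Section 2.2."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (xp, yp), (xq, yq) = p1, p2
    if xp == xq and (yp + yq) % P == 0:          # P + (-P) = O
        return O
    if p1 == p2:
        lam = (3 * xp * xp + A) * pow(2 * yp, -1, P) % P
    else:
        lam = (yq - yp) * pow(xq - xp, -1, P) % P
    xr = (lam * lam - xp - xq) % P
    return (xr, (lam * (xp - xr) - yp) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication, Q = kP."""
    acc, k = O, k % Q
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_sub(p1, p2):
    return ec_add(p1, ec_neg(p2))

def example_2_1():
    """Reproduces Example 2.1: P + Q and 2P for P = (7, 3), Q = (8, 15)."""
    p_, q_ = (7, 3), (8, 15)
    return ec_add(p_, q_), ec_add(p_, p_)       # ((14, 5), (22, 18))

def H(*parts):
    """H(a || b || ...): SHA-256 of the concatenation, mapped into [1, q-1]
    so that every hash output is a usable non-zero scalar (assumption)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def H_j(k, j):
    """Iterated hash H^j(k) = H(k, H^(j-1)(k)), H^0(k) = k (Table 2)."""
    h = k
    for _ in range(j):
        h = H(k, h)
    return h

def scalar():
    return secrets.randbelow(Q - 1) + 1          # random integer in [1, q-1]

def run_round(j=1, bid=120):
    """One bidder B_i through round j of the protocol; returns the checks."""
    sk_ah = scalar()
    pk_ah = ec_mul(sk_ah, G)                                 # Eq. (1)
    # Registration (3.3.2): B_i proves that SK_i and RK_i correspond.
    sk_i, k_i, t1 = scalar(), scalar(), scalar()
    rk_i = ec_mul(sk_i, G)                                   # Eq. (2)
    f1 = ec_mul(t1, G)                                       # Eq. (3)
    c = H(f1[0], f1[1])                                      # Eq. (4)
    e = (t1 + c * sk_i) % Q                                  # Eq. (5)
    f1p = ec_sub(ec_mul(e, G), ec_mul(c, rk_i))              # Eq. (6), RM side
    reg_ok = H(f1p[0], f1p[1]) == c                          # Eqs. (7)-(8)
    hk = H_j(k_i, j)
    n_ij = ec_mul(hk, rk_i)                                  # Eq. (9), pseudonym
    # Transaction public key (3.3.3), AH side.
    r_j = scalar()
    g_j = ec_mul(r_j, G)                                     # Eq. (10)
    s_ij = ec_mul(sk_ah, n_ij)                               # Eq. (11)
    if s_ij[0] == 0:            # x_S = 0 would give TPK = O on this tiny curve
        return run_round(j, bid)                             # redraw (assumption)
    tpk = ec_mul(r_j * s_ij[0], n_ij)                        # Eq. (12)
    # B_i recomputes S' and TPK' from PK_AH and G_j (3.3.4, Steps 1-2).
    s_p = ec_mul(hk * sk_i, pk_ah)                           # Eq. (13)
    tpk_p = ec_mul(hk * s_p[0] * sk_i, g_j)                  # Eq. (14)
    # Signature on the bid (Eqs. 15-17).
    t2 = scalar()
    f2 = ec_mul(t2, g_j)
    alpha = H(f2[0], f2[1], bid)
    beta = (t2 + alpha * hk * s_ij[0] * sk_i) % Q
    # Verification by AH / AUH (Eqs. 18-20); alpha' is recomputed over the
    # bid exactly as in Eq. (16), otherwise Eq. (20) could never hold.
    f2p = ec_sub(ec_mul(beta, g_j), ec_mul(alpha, tpk))
    sig_ok = H(f2p[0], f2p[1], bid) == alpha
    return {"reg_ok": reg_ok, "tpk_match": tpk == tpk_p,
            "f2_recovered": f2p == f2, "sig_ok": sig_ok}
```

Calling `run_round(j=2, bid=250)` returns all four checks as True, which is exactly the algebra behind Eqs. (8), (14) and (20): $\beta G_j - \alpha TPK$ collapses to $t_{2,i} G_j$ because both terms carry the same factor $H^j(k_i) \cdot x_{S_{i,j}} \cdot SK_i \cdot r_j$.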
4. Security analysis
The security requirements for the online auction protocol (Lee et al., 2001) are examined as follows:
(1) Anonymity
Unless RM and AH work together to reveal the identity during the auction, nobody else can determine the identity of a bidder. We analyze the anonymity of bidders from the perspectives of RM, AH, and AUH.
(i) AUH is only authorized to obtain the bidding information $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$. $\{\alpha_{i,j}, \beta_{i,j}\}$ is the signature for $bid_{i,j}$ and $TPK_{i,j}$ is a key for verification. Thus, AUH can only use $TPK_{i,j}$ to verify the signature and compare $TPK_{i,j}$ to the one that is posted on BBAH. AUH cannot determine the identity of a bidder.
(ii) AH merely knows the relationship between $N_{i,j}$ and $TPK_{i,j}$; thus, it does not have enough information to be able to recognize the bidder.
(iii) Although RM has all the bidders' identity information, it is still unable to derive the corresponding $N_{i,j}$ from $TPK_{i,j}$.
(2) Traceability
Anyone can get $\{TPK_{i,j}, (r_j \cdot x_{S_{i,j}}), N_{i,j}\}$ and $\{N_{i,j}, H^j(k_i), RK_i\}$ from the BBAUH and use Eqs. (9) and (12) to verify the winning bidder's identity.
(3) No framing
Unless attackers get $B_i$'s $SK_i$, $B_i$'s signature cannot be forged. Even if attackers get $RK_i$ and intend to derive $SK_i$ from $RK_i$, it will be difficult for them to obtain $SK_i$ because of the Elliptic Curve Discrete Logarithm Problem (ECDLP).
(4) Unforgeability
Attackers will be unable to calculate the transaction public key by using the equation $TPK_{i,j} = (H^j(k_i) \cdot x_{S'_{i,j}} \cdot SK_i) \cdot G_j$ or to forge any valid bidding information $\{TPK_{i,j}, bid_{i,j}, \alpha_{i,j}, \beta_{i,j}\}$. The reason can be explained in three aspects.
(i) Attackers cannot obtain $B_i$'s $SK_i$, $k_i$ and $S_{i,j}$.
(ii) Attackers have to spend a great deal of time trying to solve ECDLP, even if they manage to obtain $(H^j(k_i) \cdot x_{S'_{i,j}} \cdot SK_i)$.
(iii) Because $H^j(k_i)$ is different in each round of auction, the bidder's pseudonym $N_{i,j}$ and transaction public key $TPK_{i,j}$ would also be different in each round of auction.
(5) Non-repudiation
The signature is hidden inside the bidding information and it has the characteristic of no framing. Therefore, the winning bidder of the auction shall not be able to deny his/her signature.
(6) Fairness
All bidders use pseudonyms to join in the auction. AUH will post the valid bidding information on the BBAUH. If $B_i$ does not find his/her bidding information, he/she can appeal to AUH. In this way, AUH can handle all bidders' information with fairness.
(7) Public verifiability
Anyone can confirm the validity of the bidder, the validity of a bid, and the winning bidder’s real identity.
(8) Unlinkability among various auction rounds
The pseudonym generated by RM and the transaction public key generated by AH are different for each auction. Unless RM and AH share these keys with each other, no one else can know $B_i$'s relationship with the various auction rounds.
(9) Linkability within a single auction round
Within a single round of the auction, $B_i$ holds the same $TPK_{i,j}$ to place a bid in the auction. How many times a bidder places bids and who has placed a bid can be traced.
(10) Efficiency of bidding
The Elliptic Curve Cryptosystem can reduce the computation loads that are generated by online bidding operations.
(11) One-time registration
Bidders use a pseudonym $N_{i,j}$ to participate in the auction. Hence, $B_i$ only needs to register once with RM.
(12) Easy revocation
It is easy for RM to delete the bidder’s identification and secret parameters from the database. Once the information is removed from the database, the bidder loses the right to participate in auctions.
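The per-round key properties argued in (2), (4), (8) and (9) above are easiest to see in running code. The following is an added example written for this page, not the authors' implementation: it derives a per-round transaction public key from a hash chain $H^{j}(k_i)$, a per-round value $xS'_{i,j}$ and a long-term secret $SK_i$, signs a bid under that key, and checks that bids in one round link to the same key while keys in different rounds do not. Assumptions not taken from the paper: secp256k1 is used as the curve with a fixed generator $G$ in place of the per-round $G_j$; the three inputs are combined into the scalar by hashing, because the paper's own combining operator is not legible on this page; a Schnorr-style signature stands in for the paper's bid signature; and all key material is constructed sample data.

```python
import hashlib
from typing import Optional, Tuple

# secp256k1 domain parameters (ASSUMPTION: the paper names no specific curve).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
Point = Optional[Tuple[int, int]]  # None represents the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication; recovering k from k*pt is the ECDLP."""
    acc, addend = None, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc


def h_int(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def hash_chain(k_i: bytes, j: int) -> bytes:
    """H^j(k_i): H applied j times to the registration secret, one value per round."""
    v = k_i
    for _ in range(j):
        v = hashlib.sha256(v).digest()
    return v


def round_scalar(k_i: bytes, j: int, xs_prime: int, sk_i: int) -> int:
    """Scalar for round j. ASSUMPTION: inputs combined by hashing; the paper's
    combining operator is not legible on this page."""
    digest = h_int(hash_chain(k_i, j), xs_prime.to_bytes(32, "big"),
                   sk_i.to_bytes(32, "big"))
    return digest % N or 1


def tpk(k_i: bytes, j: int, xs_prime: int, sk_i: int) -> Point:
    """TPK_{i,j} = scalar * G (paper uses a per-round G_j; G is fixed here)."""
    return mul(round_scalar(k_i, j, xs_prime, sk_i), G)


def sign(scalar: int, msg: bytes) -> Tuple[int, int]:
    """Schnorr-style signature (e, z); nonce derived deterministically from the key."""
    r = h_int(b"nonce", scalar.to_bytes(32, "big"), msg) % N or 1
    R = mul(r, G)
    e = h_int(R[0].to_bytes(32, "big"), msg) % N
    return e, (r - e * scalar) % N


def verify(pub: Point, msg: bytes, sig: Tuple[int, int]) -> bool:
    """z*G + e*pub must equal R = r*G, and e must commit to R and msg."""
    e, z = sig
    R = add(mul(z, G), mul(e, pub))
    if R is None:
        return False
    return h_int(R[0].to_bytes(32, "big"), msg) % N == e


def demo() -> dict:
    # Constructed sample data: bidder secret SK_i, registration secret k_i,
    # and per-round values xS'_{i,j} as AH might assign them.
    sk_i = 0x1F2E3D4C5B6A79881726354453627180FEDCBA0987654321ABCDEF0123456789
    k_i = b"constructed registration secret k_i"
    xs_prime = {1: 0x1111, 2: 0x2222}
    key1 = tpk(k_i, 1, xs_prime[1], sk_i)         # round 1
    key1_again = tpk(k_i, 1, xs_prime[1], sk_i)   # round 1, second bid
    key2 = tpk(k_i, 2, xs_prime[2], sk_i)         # round 2
    bid = b"N_i,1 bids 120"
    sig = sign(round_scalar(k_i, 1, xs_prime[1], sk_i), bid)
    return {
        "linkable_within_round": key1 == key1_again,           # property (9)
        "unlinkable_across_rounds": key1 != key2,              # property (8)
        "bid_verifies": verify(key1, bid, sig),                # property (2)
        "altered_bid_rejected": not verify(key1, b"N_i,1 bids 999", sig),
        "other_round_key_rejected": not verify(key2, bid, sig),  # property (4)
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The public verifier only ever sees the point $TPK_{i,j}$, so linking two rounds would mean recovering the scalar behind each point, which is the ECDLP the paper relies on; linking within a round needs no secret at all, since the same point appears on every bid.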
5. Conclusion
This paper puts forward an agent-based English auction protocol that lets bidders obtain information and participate in auctions through an agent. Our security analysis shows that the proposal satisfies the security requirements of an online auction protocol, such as anonymity, traceability, fairness, and so on. Since mobile devices inherently have weaker computation capability, we employ the Elliptic Curve Cryptosystem on the mobile agent; its lower computation amount and smaller key size both reduce the time consumed by verification and computation, making online auctions on mobile devices more efficient and convenient. As wireless networks continue to be used extensively, our proposed method keeps the amount of wireless data exchange to the minimum possible for the sake of better security. In the future, we plan to focus on enhancing data protection in relation to auctions.
Acknowledgements
The authors are very grateful to the anonymous reviewers for their constructive comments, which improved the quality of this paper. This work was supported by the National Science Council of Taiwan, ROC under Grant NSC 99-2221-E-029-023.